bug#74879: 30.0.92; trusted-content-p and trusted-files cannot be used for non-file buffers

[Daniel Mendler]

Eli Zaretskii <eliz@gnu.org> writes:

>> Cc: Stefan Monnier <monnier@iro.umontreal.ca>,
>>  Stefan Kangas <stefankangas@gmail.com>
>> Date: Sun, 15 Dec 2024 11:16:17 +0100
>> From:  Daniel Mendler via "Bug reports for GNU Emacs,
>>  the Swiss army knife of text editors" <bug-gnu-emacs@gnu.org>
>> 
>> Daniel Mendler <mail@daniel-mendler.de> writes:
>> 
>> > Thank you for the recent addition of `trusted-content-p'. Is there a
>> > possibility to use `trusted-content-p' in buffers which are not backed
>> > by a file? I use Flymake in *scratch* or similar buffers and it seems
>> > that this won't continue to work given that `trusted-content-p' needs a
>> > `buffer-file-truename'.
>> >
>> > My suggestion would be to replace `trusted-files' by a
>> > `trusted-buffer-function' which is a predicate function or a list of
>> > functions. The functions could then check a custom list of trusted files
>> > or a custom list of trusted buffers.
>> >
>> > Alternatively offer `trusted-files', `trusted-buffers' and
>> > `trusted-buffer-function`? `trusted-buffers' could for example rely on
>> > `buffer-match-p`.
>> 
>> I have also ported back `trusted-content-p' via Compat. I had the plan
>> to use `trusted-content-p' in external packages which could potentially
>> perform dangerous operations. This way the new feature can be used to
>> retroactively improve the safety even of older Emacs installations.
>> 
>> For example in my GNU ELPA Corfu package the plan was to check
>> `(trusted-content-p)' when starting auto completion. To be clear - Corfu
>> is safe by default, since auto completion is disabled by default.
>> However many people enable auto completion unconditionally in all
>> buffers.
>> 
>> Now with the limitation of `trusted-content-p' to file-backed buffers, I
>> cannot do this, since otherwise auto completion would be lost for
>> example in *scratch* buffers. Each package could invent its own trust
>> mechanism or alternatively one could limit the `trusted-content-p' check
>> to only file-backed buffers. Both alternatives would be worse than going
>> through the `trusted-content-p' standard mechanism.
>> 
>> Therefore by making the `trusted-content-p' mechanism too limited, we
>> get less safety than with a more flexible mechanism. Nevertheless I
>> would avoid creating a complex mechanism given that the mechanism is
>> supposed to be part of Emacs 30. The simplest approach I can think of
>> this this `trusted-buffer-function', a hook called by
>> `run-hook-with-args-until-success'. Later on trust functions can be
>> provided and added to the hook list. The trust functions could check
>> file lists, buffer lists, regexps etc. Users can also write their own
>> predicate functions.
>
> What do you envision trusted-buffer-function should do in a buffer
> that doesn't visit a file?

`trusted-buffer-function' should be a hook variable, which could be set
to multiple functions, e.g., #'trusted--files-p and
#'trusted--buffers-p. The function `trusted--files-p' would check the
variable `trusted-files' similar to the existing code in the emacs-30
branch.

The function `trusted--buffers-p' could check another variable
`trusted-buffers' which specifies a list of buffer name regexps or
probably even better a `buffer-match-p' condition. This way the user
could specify buffers which they consider safe, for example *scratch*.

In the end it is up to the user how the variables are configured, as is
already the case with `trusted-files'. The user must define which
directories/files/buffers they consider safe.

Daniel